Principal Application Security Architect at Santam Insurance

KEY RESPONSIBILITIES

• Driving a comprehensive application security strategy.
• Threat mitigation and risk management.
• Secure architecture and design.
• Vulnerability management and code reviews.
• Securing the development lifecycle.
• Collaboration and communication with development teams and other stakeholders.
• Protecting global assets.
• Understanding regional requirements.
• Lead the development and execution of application security assessments.
• Ensure applications comply with all relevant security standards and regulations.
• Champion a "security by design" culture.
• Develop and maintain application security documentation.
• Develop and manage risk mitigation strategies.
• Work with other security teams (e.g., security operations, etc.)
• Stay up-to-date on the latest application security threats and vulnerabilities.
• Application Security Incident Response and Cyber Crisis Management.
• Participate in Group Information Security Programme (GISP) initiatives.
• Application Security (including cloud security), Infrastructure Security, and Cybersecurity Education, Training and Awareness.
• Provide regular feedback to Santam Manco on Group-wide application security issues.
• Clear and timely communication to management and users regarding application security matters.
• Application Security Risk assessment that identifies a requirement for additional awareness or targeted education, training, and awareness interventions.
• Review and respond to all application security-related audit findings.
• Produce required application security reports.
• Ensure that security 'gates' are a formal part of the SDLC/ Agile/ relevant solution development methodology.
• Active participation in Sanlam-sanctioned industry bodies (e.g. ISF Live, ISACA, FS-ISAC)
• Timeous escalation of new, high or escalating cybersecurity risks.
• Engage with application owners and the Group Cyber Security Centre (GCSC) Operations Team to ensure that system vulnerabilities identified during penetration tests, Red Team exercises, or vulnerability scans are addressed.
• Ensure that the Group CIO is aware of risks and actions required.
• Find & provide root cause analysis and implement permanent and/or long-term fixes for application security-related incidents.
• Strong understanding of integration between Workstations and Network/Servers

QUALIFICATIONS AND EXPERIENCE

• A bachelor’s Degree or Diploma in Cybersecurity, Computer Science, Information Systems, or a related field, or equivalent work experience.
• A Recognised Cyber Security Certification(s) (e.g., Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Ethical Hacker (CEH), or similar certification will be an advantage.
• With 15+ years of experience in software engineering, a significant portion of that in an architectural position focusing on cybersecurity within complex organisations, preferably in the financial services sector. The incumbent must have a solid technical software engineering background with a deep understanding of cybersecurity concepts, threats, and vulnerabilities.

COMPETENCIES

• High Stress Tolerance.
• Building and maintaining relationships.
• Teamwork and ability to function independently.
• Facilitation Skills.
• Adaptability.
• Attention to detail.
• Planning and organising.
• Ability to work independently.
• Interpersonal savvy.
• Decision quality.
• Plans and aligns.
• Optimises work processes.
• Being resilient.
• Collaborates.
• Cultivates innovation.
• Customer focus.
• Drives results.
• Sensitivity to Risk
• Balances Stakeholders
• Reporting and Administration

ADDITIONAL COMPETENCIES AND SKILLS

• Programming Languages: It is crucial to understand the security considerations of languages like Java, Python, C#, JavaScript and emerging ones like Kotlin.
• Web Technologies: Familiarity with HTML, CSS, JavaScript frameworks like React and Angular, and web application security concepts is essential.
• Mobile Development: Security expertise in Android, iOS, and cross-platform frameworks like Flutter helps secure sensitive data on user devices.
• Cloud Security: A deep grasp of cloud platforms like AWS, Azure, and GCP and their security implications is vital for secure cloud deployments.
• API Security: Understanding API security best practices is critical to prevent unauthorized access and data breaches.
• Vulnerability Understanding: In-depth knowledge of common and obscure vulnerabilities in various technologies allows for accurate identification and exploitation for testing and mitigation purposes.
• Secure Coding Practices: Expertise in secure coding principles and best practices for different languages and frameworks empowers proactive vulnerability prevention.
• Threat Modelling: The ability to analyse application architecture and functionality to anticipate potential attack vectors and proactively address them is crucial.
• Security Scanners and Code Analysis Tools: It is vital to understand how to use these tools to identify vulnerabilities in code and recommend remediation strategies.
• Penetration Testing Tools: Familiarity with these allows for thorough vulnerability assessment and simulating real-world attack scenarios.
• Security Incident Response Tools: Knowledge of incident response tools and methodologies helps them effectively handle security breaches and minimize damage.
• Cryptography and Encryption: Understanding encryption algorithms and their application in securing data is essential.